Sumup of the EU GDPR (EU and non EU businesses)

Travis

11:39 am on Apr 11, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Interesting and simple article from the Washington Post to understand the GDPR:

[washingtonpost.com...]

Travis

6:03 pm on Apr 18, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



"IBM's Cindy Compert cooks up a batch of GDPR preparation"
[searchsecurity.techtarget.com...]

NickMNS

6:22 pm on Apr 18, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This GDPR thing is such a massive mess; every article and presentation you read contradicts the last one. No one is clear on what it is, who is impacted or who isn't, what data is or isn't included. Given the extreme fines, I'm going to predict that this is just going to cause a bunch of wasted money and resources spent on court battles and lawyers.

Travis

10:02 pm on Apr 18, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



who is impacted

Every business or entity in the world, no matter where they are established, from the moment they handle personal data of European citizens, which includes European citizens who are traveling/living outside of the EU. And not only online businesses.

who isn't

As a business / entity, you are not concerned if you are not handling personal data from European citizens.

what data is or isn't included

"Personal data": this is defined as data which can identify an individual. Name, address, photo (don't forget about it), e-mail address, any kind of identification number, including IP address.

The GDPR is NOT forbidding the collection, storage, processing or sharing of this data, but you have to inform users, in a clear, simple and VISIBLE way, of what data you are collecting, why, what you are doing with it, etc... AND you have to receive the EXPLICIT consent of these users to do so. You also have to permanently delete this information at the request of users (which includes deleting the data from backups). If you are changing your usage of the data, you have to obtain the explicit consent of the user before doing something else with their data. You also have to be able to output all the data you have about a given user.

Also, if the data you collected is exposed to third parties (hacking, for example), you have 24 hours to report it to one of the European authorities.

You are not supposed to collect more data than what you really need, and you should not keep it after you no longer need it.

The GDPR also encourages the idea of anonymizing this data as much as possible.

Roughly this is it.

NickMNS

12:56 am on Apr 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Travis
Yes, roughly. But roughly doesn't cut it. It is the "exactly" that is unclear. Several points you mentioned are contradicted in the presentation you linked to earlier. So my point is there are plenty of opinions on the roughly and no opinions on the exactly. The "exactly" will likely be determined in the courts over the next few decades. In the meanwhile the small guys are going to be chasing their tails wasting money and resources trying to comply while the big guys spend millions on lawyers.

engine

7:58 am on Apr 19, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



In the meanwhile the small guys are going to be chasing their tails wasting money and resources trying to comply while the big guys spend millions on lawyers.

Yes, exactly. There is an untold amount of cost for small businesses and organizations, along with confusion. It's already another "cookie law" frustration, but on a far larger scale. Small businesses, non-profits, charities, clubs and associations are all impacted, yet don't have the resources (or money) to comply. My local charitable resource is more than frustrated over this. They haven't yet found someone to advise them without charging fees, which they can ill afford.

Travis

11:06 am on Apr 19, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Tell your users/members/etc:

- what personal data you collect (or that third parties collect through you, which is considered data sharing),
- why you need this data,
- what you do with this data,
- with whom you share it,
- how long you keep/store it,

- obtain their explicit consent for doing so.

- if a user asks for his data to be deleted, do so.

- If you are hacked, and this data is in the wild, report this to one of the EU authorities within the 24h.

- It can be good to create a document for internal use, where you list all you do, how, and so on, so you can get a global vision and better control the data. (This is mandatory for companies with more than 250 employees; they are also required to have a dedicated person in charge of data/privacy protection.)

That's all. If you do this, you won't risk anything.

If the EU comes after you somehow, this can only be about "tiny details" that you might be asked to adjust; the EU will explain what is wrong and what to do to fix it, and there is no risk of a fine in that case. Just show your willingness to do things the right way. Especially for small structures, the EU is known to be tolerant in this matter.

If you have been doing things right since the beginning, this shouldn't require a lot of work to adapt to the GDPR.

Also, all this was decided back in 2012, so it's been 6 years to conform. The definitive text was set 2 years ago. So it left plenty of time to adapt.

Mark_A

2:52 pm on Apr 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



72 hours, you have 72 hours to report a breach after you notice it.

Travis

5:21 pm on Apr 19, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



My bad!

Travis

8:58 am on Apr 21, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



"GDPR: Are you ready for the EU's huge data privacy shake-up?"
[bbc.com...]

Travis

10:39 am on Apr 22, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



"GDPR Compliance for U.S. Companies and 9 Things Every Business Needs to Know Right Now, according to FLANK"
[chron.com...]

Shaddows

11:21 am on Apr 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



- obtain their explicit consent for doing so.

- if a user asks for his data to be deleted, do so.

You don't need explicit consent in most real-world scenarios.

Major reasons not to need explicit consent include the performance of a contract, and complying with non-GDPR law, such as tax law.

Similarly, you do not need to delete (though you may not be able to "process" data - in other parts of the GDPR, "processing" includes writing to and recalling from a database) where you have other obligations.

Then there is "legitimate interests" which just drives a horse and cart through the rest of GDPR, until tested in court and limited by case law.

Interpretation of "Legitimate interests" may be a big issue under Common Law vs Civil Law systems.

Travis

3:10 pm on Apr 23, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



You don't need explicit consent in most real-world scenarios.

It might be a matter of interpretation, but I have the impression you NEED to obtain the explicit consent, and if the user is not giving it, then you just don't provide the service.

Shaddows

3:20 pm on Apr 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have a look at the ICO site [ico.org.uk], who are the Agency responsible for enforcement in the UK.

Lifted from that link (emphasis mine):

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.


And if I'm allowed to quote at greater length (styling theirs, imperfectly replicated):

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Source: [ico.org.uk...]

Travis

6:48 pm on Apr 23, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Ok Shaddows, thank you.

So I guess we don't have to obtain the explicit consent of a user if we record his IP address when he posts a message on a forum, since several laws require keeping this kind of trace. In that case, informing the user that his IP will be saved should be enough?

Travis

10:26 am on Apr 25, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



US companies are not exempt from Europe’s new data privacy rules
[cnbc.com...]

Shaddows

11:01 am on Apr 25, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In that case, informing the user that his IP will be saved should be enough?

That's my understanding.

Lots of new T&C / TOS / Privacy pages are now being published. I suspect around early May, slow-movers should be able to get a good feel of how the early adopters have interpreted things.

Quite a lot of companies are now publishing GDPR info/compliance pages. That was unexpected, but we might follow suit.

Things are happening on the ground now. Stuff gets real.

Mark_A

12:36 pm on Apr 25, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Indeed Shaddows, I am receiving GDPR inspired communications daily now.

Jonesy

3:09 pm on Apr 28, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



... and GDPR spam.

GDPR -- I keep parsing as German Democratic People's Republic.

Nutterum

7:23 am on May 2, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



My question here is how I can identify a person as an EU citizen so that I can protect his data. I am not in control of the entire human population browsing the internet. If I am based in the USA and serve USA clients and some guy from Poland decides to do some research on some of my products, why am I in the wrong for not protecting his/her rights? It just makes absolutely no sense.

Shaddows

8:00 am on May 2, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well, you can block the EU by IP with reasonable precision. Or, you can comply with the law in the jurisdiction you are operating in. I mean, if you are a Russian hacker with your presence and servers in Russia, you are still breaking American law if you hack American computers.

Or, you can just take the risk that you are small-fry, not worth pursuing and probably are not going to have a fine that is practically enforceable levied against you.

But your profile says you are in Bulgaria, which is in the EU and therefore you are subject to the GDPR regardless of who you are serving.

stever

8:01 am on May 2, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If that were true, that you are based in the USA and only want to serve US citizens, then there are plenty of solutions for that (see Patagonia and Adobe and the concept of their differential pricing for US and ROTW, for example).

But, of course, it isn't true. You published the information on the internet and you left it open for everyone who wants to see.

The EU doesn't have any problem with that.

What it does say is that if you want to collect any information about an EU citizen while they are browsing your site then they have the right to know what information that is, what you are doing with it and to give or deny their permission.

If you don't offer that option then you are in breach of the EU citizen's legal rights and they, or their representatives, may have recourse against your action.

If you are a corner shop selling alcohol you do not have the right to sell it to minors because of laws passed to prevent under-age drinking. And you have to take steps to fall in line with the law.

If you are a website offering information to EU citizens you have to inform them if you are collecting and storing information which would affect their rights to privacy. And you have to take steps to fall in line with the law.

No5needinput

1:42 pm on May 2, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



I may be wrong, but I think what Nutterum is asking is: if "some guy from Poland" is in the U.S. on vacation, for example, and is browsing his U.S.-hosted website, which is showing personalized ads for people NOT in the EU, how does Nutterum know that this guy browsing his site is Polish and not a U.S. citizen?

Shaddows

2:24 pm on May 2, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Law is not strictly about "EU Citizens". It is about anyone resident in the EU at the point of data collection, plus any Controllers and Processors based in the EU.

US businesses become liable when they are exposed to people resident in the EU, for example by the magic of the interweb. Or they have Processing duties contracted out to them.

Mark_A

3:02 pm on May 3, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't know about others here in the EU, but I have done quite a lot of work on GDPR readiness, and a couple of important issues remain where I am waiting on other companies to take various steps. It has been like pulling teeth to get them to take GDPR seriously (or at least to grasp that it will significantly affect how they continue their business), and now it seems whatever they do actually do will be very last minute, which I am not at all happy with.

Shaddows

3:51 pm on May 3, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I hear you, but don't worry. The ICO (assuming you are in the UK) have said that they will not be fining in the first instance, just issuing guidance and expecting you to comply.

All you have to do is show the correct intent and direction of travel.

Mark_A

4:04 pm on May 3, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi Shaddows, yes I am in the UK, and it is on the specific advice of the ICO that I am demanding these things: a controller-processor agreement in one case, and in the other that they resolve their use of IP addresses and cookies on a web service. Neither of the companies concerned seems to be taking action with any urgency, which is quite frustrating.

stever

10:46 am on May 31, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since this is the closest 'general' GDPR thread I could find...

A German news site (heise.de) is reporting about the first legal implications of GDPR and, interestingly enough, the approach being taken by lawyers is under the law protecting businesses from 'unfair competition' (UWG in German).

In a handful of cases so far, businesses have received cease-and-desist legal warnings along with claims for compensation in the high four figures for the costs involved in the implementation of GDPR, which, allegedly, the recipient businesses in question have not implemented or have implemented incorrectly.

In two cases, the complaint involved the use of Google Analytics without opt-in and opt-out facilities and in another case the setting of cookies without explicit permission.

Mark_A

12:49 pm on May 31, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi stever, it will be interesting to see the outcome of those cases.

QuaterPan

6:44 pm on May 31, 2018 (gmt 0)



In a handful of cases so far, businesses have received cease-and-desist legal warnings along with claims for compensation in the high four figures for the costs involved in the implementation of GDPR, which, allegedly, the recipient businesses in question have not implemented or have implemented incorrectly.

Isn't it up to the regulator to make a business pay (or not)?